NS Ch 5 Questions
How many network interfaces does a dual-homed gateway typically have?
3
Which 802.1Q priority is IP phone traffic on a voice VLAN tagged with by default?
5
How many concurrent connections does NAT support?
5,000
You are adding switches to your network to support additional VLANs. Unfortunately, the new switches are from a different vendor than the current switches. Which standard do you need to ensure that the switches are supported?
802.1Q
Which of the following is an appropriate definition of a VLAN?
A logical grouping of devices based on service need, protocol, or other criteria.
You connect your computer to a wireless network available at the local library. You find that you can access all of the websites you want on the internet except for two. What might be causing the problem?
A proxy server is blocking access to the websites.
Which of the following BEST describes a honeyfile?
A single file set up to entice and trap attackers.
Which of the following switch attacks associates the attacker's MAC address with the IP address of the victim's devices?
ARP spoofing/poisoning
Drag each description on the left to the appropriate switch attack type on the right.
ARP spoofing/poisoning: The source device sends frames to the attacker's MAC address instead of to the correct device. Dynamic Trunking Protocol: Should be disabled on the switch's end user (access) ports before implementing the switch configuration into the network. MAC flooding: Causes packets to fill up the forwarding table and consumes so much of the switch's memory that it enters a state called Fail Open Mode. MAC spoofing: Can be used to hide the identity of the attacker's computer or impersonate another device on the network.
Which of the following should be configured on the router to filter traffic at the router level?
Access control list
You are the security analyst for your organization and have discovered evidence that someone is attempting to brute-force the root password on the web server. Which classification of attack type is this?
Active
Which of the following NAC agent types would be used for IoT devices?
Agentless
Which of the following happens by default when you create a new ACL on a router?
All traffic is blocked.
You are the office manager of a small financial credit business. Your company handles personal financial information for clients seeking small loans over the internet. You are aware of your obligation to secure clients' records, but the budget is an issue for your company. Which item would provide the BEST security for this situation?
All-in-one security appliance
Which of the following describes how access control lists can be used to improve network security?
An access control list filters traffic based on the IP header information, such as source or destination IP address, protocol, or socket number.
You are investigating the use of website and URL content filtering to prevent users from visiting certain websites. Which benefits are the result of implementing this technology in your organization? (Choose two.)
An increase in bandwidth; Enforcement of the organization's internet usage policy
As the security analyst for your organization, you have noticed an increase in emails that attempt to trick users into revealing confidential information. Which web threat solution should you implement to protect against these threats?
Anti-phishing software
What do application control solutions use to identify specific applications?
Application signatures
Which of the following devices can apply quality of service and traffic-shaping rules based on what created the network traffic?
Application-aware devices
Which of the steps in the Network Access Control (NAC) implementation process occurs once the policies have been defined?
Apply
Which of the following defines all the prerequisites a device must meet in order to access a network?
Authentication
Which of the following applies the appropriate policies in order to provide a device with the access it's defined to receive?
Authorization
An attacker was able to gain unauthorized access to a mobile phone and install a Trojan horse so that he or she could bypass security controls and reconnect later. Which type of attack is this an example of?
Backdoor
In an effort to increase the security of your organization, programmers have been informed they can no longer bypass security during development. Which vulnerability are you attempting to prevent?
Backdoor
While developing a network application, a programmer adds functionality that allows her to access the running program without authentication so she can capture debugging data. The programmer forgets to remove this functionality prior to finalizing the code and shipping the application. Which type of security weakness does this describe?
Backdoor
Which of the following terms describes a network device that is exposed to attacks and has been hardened against those attacks?
Bastion or sacrificial host
Which of the following is a typical goal of MAC spoofing?
Bypass 802.1x port-based security
You want to install a firewall that can reject packets that are not part of an active session. Which type of firewall should you use?
Circuit-level gateway
A network device is given an IP address of 172.16.0.55. Which type of network is this device on?
Class B private network
When designing a firewall, what is the recommended approach for opening and closing ports?
Close all ports; open only ports required by applications inside the DMZ.
You are the IT security administrator for a small corporate network. You need to secure access to your switch, which is still configured with the default settings. Access the switch management console through Chrome on http://192.168.0.2 with the username cisco and password cisco. In this lab, your task is to: Create a new user account with the following settings: Username: ITSwitchAdmin Password: Admin$only1844 User Level: Read/Write Management Access (15) Edit the default user account as follows: Username: cisco Password: CLI$only1958 User Level: Read-Only CLI Access (1) Save the changes to the switch's startup configuration file.
Complete this lab as follows: Log in to the CISCO switch. From the taskbar, select Google Chrome. In the URL field, enter 192.168.0.2 and press Enter. Maximize the window for easier viewing. In the Username and Password fields, enter cisco (case sensitive). Select Log In. Create a new user account. From Getting Started under Quick Access, select Change Device Password. Select Add. For the username, enter ITSwitchAdmin (case sensitive). For the password, enter Admin$only1844 (case sensitive). For Confirm Password, enter Admin$only1844. For User Level, make sure Read/Write Management Access (15) is selected. Select Apply. Select Close. Edit the default user account. Under User Account Table, select cisco (the default user) and then select Edit. For the password, enter CLI$only1958. For Confirm Password, enter CLI$only1958. For User Level, select Read-Only CLI Access (1). Select Apply. Save the changes to the switch's startup configuration file. From the top of the switch window, select Save. Under Source File Name, make sure Running configuration is selected. Under Destination File Name, make sure Startup configuration is selected. Select Apply. Select OK. Select Done.
You are the IT security administrator for a small corporate network. You need to increase the security on the switch in the networking closet. The following table lists the used and unused ports: Unused Ports: GE2, GE7, GE9-GE20, GE25, GE27-GE28. Used Ports: GE1, GE3-GE6, GE8, GE21-GE24, GE26. In this lab, your task is to: Shut down the unused ports. Configure the following Port Security settings for the used ports: Interface Status: Lock. Learning Mode: Classic Lock. Action on Violation: Discard.
Complete this lab as follows: Shut down the unused ports. Under Initial Setup, select Configure Port Settings. Select the GE2 port. Scroll down and select Edit. Under Administrative Status, select Down. Scroll down and select Apply. Select Close. With the GE2 port selected, scroll down and select Copy Settings. In the Copy configuration field, enter the remaining unused ports. Select Apply. From the Port Setting Table, in the Port Status column, you can see that all the ports are down now. Configure the Port Security settings. From the left menu, expand Security. Select Port Security. Select the GE1 port. Scroll down and select Edit. Under Interface Status, select Lock. Under Learning Mode, make sure Classic Lock is selected. Under Action on Violation, make sure Discard is selected. Select Apply. Select Close. Scroll down and select Copy Settings. Enter the remaining used ports. Select Apply.
You work as the IT security administrator for a small corporate network. You need to secure access to your pfSense appliance, which is still configured with the default user settings. In this lab, your task is to: Change the password for the default pfSense account from pfsense to P@ssw0rd (use a zero). Create a new administrative user with the following parameters: Username: zolsen Password: St@yout! Full Name: Zoey Olsen Group Membership: admins Set a session timeout of 15 minutes for pfSense. Disable the web Configurator anti-lockout rule for HTTP.
Complete this lab as follows: Access the pfSense management console. From the taskbar, select Google Chrome. Maximize the window for better viewing. In the Google Chrome address bar, enter 198.28.56.18 and then press Enter. Enter the pfSense sign-in information as follows: Username: admin Password: pfsense Select SIGN IN. Change the password for the default (admin) account. From the pfSense menu bar, select System > User Manager. For the admin account, under Actions, select the Edit user icon (pencil). For the Password field, change to P@ssw0rd (use a zero). For the Confirm Password field, enter P@ssw0rd. Scroll to the bottom and select Save. Create and configure a new pfSense user. Select Add. For Username, enter zolsen. For the Password field, enter St@yout!. For the Confirm Password field, enter St@yout!. For Full Name, enter Zoey Olsen. For Group Membership, select admins and then select Move to Member of list. Scroll to the bottom and select Save. Set a session timeout for pfSense. Under the System breadcrumb, select Settings. For Session timeout, enter 15. Select Save. Disable the webConfigurator anti-lockout rule for HTTP. From the pfSense menu bar, select System > Advanced. Under webConfigurator, for Protocol, select HTTP. Select Anti-lockout to disable the webConfigurator anti-lockout rule. Scroll to the bottom and select Save.
You are an IT security administrator for a small corporate network. To increase security for the corporate network, you have installed the pfSense network security appliance in your network. Now you need to configure the device. In this lab, your task is to configure pfSense as follows: Sign in to pfSense using the following case-sensitive information: URL: 198.28.56.18 Username: admin Password: pfsense Configure the DNS servers as follows: Primary DNS server: 163.128.78.93 - Hostname: DNS1 Secondary DNS server: 163.128.80.93 - Hostname: DNS2 Configure the WAN IPv4 information as follows: Enable the interface. Use a static IPv4 address of 65.86.24.136/8. Add a new gateway using the following information: Type: Default gateway Name: WAN Gateway IP address: 65.86.1.1
Complete this lab as follows: Access the pfSense management console. From the taskbar, select Google Chrome. Maximize the window for better viewing. In the address bar, type 198.28.56.18 and then press Enter. Sign in using the following case-sensitive information: Username: admin Password: pfsense Select SIGN IN or press Enter. Configure the DNS Servers. From the pfSense menu bar, select System > General Setup. Under DNS Server Settings, configure the primary DNS Server as follows: Address: 163.128.78.93 Hostname: DNS1 Gateway: None Select Add DNS Server to add a secondary DNS Server and then configure it as follows: Address: 163.128.80.93 Hostname: DNS2 Gateway: None Scroll to the bottom and select Save. Configure the WAN settings. From the pfSense menu bar, select Interfaces > WAN. Under General Configuration, select Enable interface. Use the IPv4 Configuration Type drop-down to select Static IPv4. Under Static IPv4 Configuration, in the IPv4 Address field, enter 65.86.24.136. Use the IPv4 Address subnet drop-down to select 8. Under Static IPv4 Configuration, select Add a new gateway. Configure the gateway settings as follows: Default: Select Default gateway
You are the IT security administrator for a small corporate network. You need to increase the security on the switch in the Networking Closet by restricting access management and by updating the switch's firmware. In this lab, your task is to: Create an access profile named MgtAccess and configure it with the following settings: Access Profile Name: MgtAccess; Rule Priority: 1; Management Method: All; Action: Deny; Applies to Interface: All; Applies to Source IP address: All. Add a profile rule to the MgtAccess profile with the following settings: Rule Priority: 2; Management Method: HTTP; Action: Permit; Applies to interface: All; Applies to Source IP address: User defined (IP Version: Version 4, IP Address: 192.168.0.10, Network Mask: 255.255.255.0). Set the MgtAccess profile as the active access profile. Save the changes to the switch's startup configuration file using the default settings. Update the firmware image to the latest version by downloading the firmware files found in C:\Sx300_Firmware\Sx300_FW-1.2.7.76.ros. If you need to log back into the switch, the username is ITSwitchAdmin and the password is Admin$only.
Complete this lab as follows: Create and configure an Access Profile named MgtAccess. From the left pane, expand and select Security > Mgmt Access Method > Access Profiles. Select Add. Enter the Access Profile Name of MgtAccess. Enter the Rule Priority of 1. For Action, select Deny. Select Apply and then select Close. Add a profile rule to the MgtAccess profile. From the left pane, under Security > Mgmt Access Method, select Profile Rules. Select the MgtAccess profile and then select Add. Enter a Rule Priority of 2. For Management Method, select HTTP. For Applies to Source IP Address, select User Defined. For IP Address, enter 192.168.0.10. Enter the Network Mask 255.255.255.0. Select Apply and then select Close. Set the MgtAccess profile as the active access profile. From the left pane, under Security > Mgmt Access Method, select Access Profiles. Use the Active Access Profile drop-down list to select MgtAccess. Select Apply. Select OK. Save the changes to the switch's startup configuration file. At the top, select Save. For Source File Name, make sure Running configuration is selected. For Destination File Name, make sure Startup configuration is selected. Select Apply. Select OK. Upgrade the firmware image to the latest version. From the left pane, select Getting Started. Under Quick Access, select Upgrade Device Software. For File Name, select Choose File. Browse to and select C:\Sx300_Firmware\Sx300_FW-1.2.7.76.ros. Select Open. Select Apply. Select OK. From the left pane, under File Management, select Active Image. For Active Image After Reboot, use the drop-down menu to select Image 2. Select Apply. From the left pane under Administration, select Reboot. From the right pane, select Reboot. Select OK.
The Fiji router has been configured with Standard IP Access List 11. The access list is applied to the Fa0/0 interface. The access list must allow all traffic except traffic coming from hosts 192.168.1.10 and 192.168.1.12. However, you've noticed that it's preventing all traffic from being sent on Fa0/0. You remember that access lists contain an implied deny any statement. This means that any traffic not permitted by the list is denied. For this reason, access lists should contain at least one permit statement or all traffic is blocked. In this lab, your task is to: Add a permit any statement to Access List 11 to allow all traffic other than the restricted traffic. Save your changes in the startup-config file.
Complete this lab as follows: Enter the configuration mode for the Fiji router: From the exhibit, select the Fiji router. From the terminal, press Enter. Type enable and then press Enter. Type config term and then press Enter. From the terminal, add a permit any statement to Access List 11 to allow all traffic other than the restricted traffic. Type access-list 11 permit any and press Enter. Press Ctrl + Z. Save your changes in the startup-config file. Type copy run start and then press Enter. Press Enter to begin building the configuration. Press Enter.
You have a small business network connected to the internet through a single router as shown in the network diagram. You have noticed that three hosts on the internet have been flooding your router with unwanted traffic. As a temporary measure, you want to prevent all communication from these three hosts until the issue is resolved. In this lab, your task is to: Create a Standard Access List 25. Add statements to the access list to block traffic from the following hosts: 199.68.111.199, 202.177.9.1, 211.55.67.11. Add a statement to allow all other traffic from all other hosts. Apply Access List 25 to the Serial0/0/0 interface to filter incoming traffic.
Complete this lab as follows: Enter the configuration mode for the router: From the exhibit, select the router. From the terminal, press Enter. Type enable and then press Enter. Type config term and then press Enter. From the terminal, create a standard numbered access list using number 25. Add statements to the access list to block traffic to the required hosts. Type access-list 25 deny host 199.68.111.199 and press Enter. Type access-list 25 deny host 202.177.9.1 and press Enter. Type access-list 25 deny host 211.55.67.11 and press Enter. From the terminal, add a statement to allow all other traffic from all other hosts, by typing access-list 25 permit any and pressing Enter. From the terminal, apply Access List 25 to the Serial0/0/0 interface to filter incoming traffic. Type int s0/0/0 and press Enter. Type ip access-group 25 in and press Enter. Type Ctrl + Z.
You are in the process of configuring a new router. The router interfaces connect to the following networks: FastEthernet0/0: 192.168.1.0/24; FastEthernet0/1: 192.168.2.0/24; FastEthernet0/1/0: 192.168.3.0/24. Only Telnet and SSH access from these three networks should be allowed. In this lab, your task is to: Use the access-list command to create a standard numbered access list using number 5. Add a permit statement for each network to the access list. Use the access-class command to apply the access list to VTY lines 0-4. Use the in direction to filter incoming traffic. Save your changes in the startup-config file.
Complete this lab as follows: Enter the configuration mode for the router: From the exhibit, select the router. From the terminal, press Enter. Type enable and then press Enter. Type config term and then press Enter. From the terminal, create a standard numbered access list using number 5. Add a permit statement for each network to the access list. Type access-list 5 permit 192.168.1.0 0.0.0.255 and then press Enter. Type access-list 5 permit 192.168.2.0 0.0.0.255 and then press Enter. Type access-list 5 permit 192.168.3.0 0.0.0.255 and then press Enter. Apply the access list to VTY lines 0-4. Filter incoming traffic. Type line vty 0 4 and then press Enter. Type access-class 5 in and then press Enter. Press Ctrl + Z. Save your changes in the startup-config file. Type copy run start and then press Enter. Press Enter to begin building the configuration. Press Enter.
As an IT administrator, you need to know how security breaches are caused. You know that SMAC is used for MAC spoofing, so you are going to spoof your MAC address. In this lab, your task is to complete the following: On Office2, use ipconfig /all and find the IP address and MAC address. Using SMAC, spoof the MAC address on ITAdmin to match that of Office2. Refresh the IP address on ITAdmin. Verify the MAC and IP address now match Office2.
Complete this lab as follows: Find the MAC address for Office2. Right-click Start and then select Windows PowerShell (Admin). From the Command Prompt, type ipconfig /all and press Enter. Find the MAC address. Spoof the MAC address. From the top navigation tabs, select Floor 1 Overview. Under IT Administration, select ITAdmin. In the Windows search bar, type SMAC. Under Best match, right-click SMAC and select Run as administrator. In the New Spoofed Mac Address field, type 00:00:55:55:44:15 (the MAC address from Office2). Select Update MAC. Select OK to confirm the adapter restart. Renew the IP information for the ITAdmin computer. Right-click Start and select Windows PowerShell (Admin). From the Command Prompt, type ipconfig /renew to renew the IP address. Type ipconfig /all to confirm the MAC address and the IP address have been updated.
You are the IT security administrator for a small corporate network. You need to increase the networking closet's security by implementing a CCTV system with IP cameras. As part of this task, you need to separate the CCTV data traffic on the network using a separate VLAN on the switch. The patch panel connections for the networking closet, lobby, and IT administration office are installed and ready for use (ports 18-20). A DHCP server is already configured to provide the IP cameras and the laptop in the IT administration office with the correct TCP/IP settings (port 21). For an easier implementation, create the logical VLAN first and then establish the physical connections of the IP cameras and the laptop. In this lab, your task is to perform the following: Access the switch management console from ITAdmin using the following credentials: Address: http://192.168.0.2 Username: ITSwitchAdmin Password: Admin$only (the password is case-sensitive) Create and configure a VLAN on the switch as follows: VLAN ID: 2 VLAN Name: IPCameras Configure ports GE18, GE19, GE20, GE21 as untagged. Port 18 is connected to the network jack next to the laptop in the IT administration office. Port 19 is connected to the camera mount in the lobby. Port 20 is connected to the camera mount in the networking closet. Port 21 is connected to a DHCP server that provides IP addresses to the camera and the laptop. In the lobby and networking closet, perform the following: Connect a Cat5e cable to the RJ-45 ports on the IP camera and the IP camera wall plate. Mount the IP camera on the wall plate. In the networking closet, connect the DHCP server to the VLAN using a Cat5e cable from switch port 21 to patch panel port 21 in the rack. In the IT administration office, connect a Cat5e cable to the laptop's network port and the open port on the wall plate. On IT-Laptop2, verify the VLAN configuration and IP camera installation as follows: Select Start > IP Cameras. Verify that the program detects the IP cameras on the VLAN 2 network.
Complete this lab as follows: From the ITAdmin computer, log into the CISCO switch. From the taskbar, open Google Chrome. Maximize the window for easier viewing. In the URL field, enter 192.168.0.2 and press Enter. For Username, enter ITSwitchAdmin. For Password, enter Admin$only (password is case-sensitive). Select Log In. Create a VLAN. From the Getting Started pane, under Initial Setup, select Create VLAN. Select Add. For VLAN ID, enter 2. For VLAN Name, enter IPCameras. Select Apply. Select Close. Configure a VLAN. From the left pane, under VLAN Management, select Port to VLAN. From the VLAN ID equals to drop-down menu, select 2. Select Go. For ports GE18, GE19, GE20, and GE21, select Untagged. Select Apply. Connect the IP camera in the lobby to the VLAN and mount the IP cameras. From the top navigation area, select Floor 1. Under Lobby, select Hardware. Under Shelf, expand CCTV Cameras. Drag the IP Camera (Lobby) to the workspace. Under Workspace for the IP camera, select Back to switch to the back view of the IP camera. Under Shelf, expand Cables and then select a Cat5e Cable, RJ45. Under Selected Component, drag a RJ45 Connector to the RJ-45 port on the IP Camera wall mount plate. From the wall plate's Partial Connections list, drag the other connector to the RJ-45 port on the back of the IP camera. Drag the IP camera to the IP camera wall plate. Connect the IP camera in the networking closet to the VLAN and mount the IP cameras. From the top navigation area, select Floor 1. Under Networking Closet, select Hardware. Under Shelf, expand CCTV Cameras. Drag the IP Camera (Networking Closet) to the workspace. Under Workspace for the IP camera, select Back to switch to the back view of the IP camera. Under Shelf, expand Cables and then select Cat5e Cable, RJ45. Under Selected Component, drag a RJ45 Connector to the RJ-45 port on the IP Camera mount wall plate. Under Selected Component, drag the unconnected RJ45 cable to the RJ-45 port on the back of the IP camera. To mount the IP camera, drag the IP camera to the IP camera wall plate. Connect the DHCP server and laptop to the VLAN. In the networking closet, under Shelf, select a Cat5e Cable, RJ45. Under Selected Component, drag a RJ45 Connector to port 21 on the switch. Under Selected Component, drag the unconnected RJ45 Connector to port 21 on the patch panel. Connect the laptop to the VLAN. From the top menu, select Floor 1. Under IT Administration, select Hardware. Above the laptop, select Back to switch to the back view of the laptop. Under Shelf, select Cat5e Cable, RJ45. Under Selected Component, drag a RJ45 Connector to the RJ-45 port on the laptop. Under Selected Component, drag the unconnected RJ45 Connector to the open RJ-45 port on the wall plate (single port). Launch the IP camera monitoring software. Under the laptop's workspace, select Front. On the IT-Laptop2, select Click to view Windows 10. From the taskbar, select Start. Select IP Cameras. Verify that both cameras are detected on the network.
You are the IT administrator for a small corporate network. Several employees have complained of slow internet bandwidth. You have discovered that the user stations on the guest Wi-Fi network are consuming much of your company's bandwidth. You have decided to use pfSense's Traffic Shaper wizard to create the various rules needed to better control the bandwidth usage and to fine-tune the priority for the type of traffic used on your guest Wi-Fi network. Your network has one LAN and one WAN. In this lab, your task is to: Access the pfSense management console: Username: admin Password: P@ssw0rd (zero) Create a firewall alias using the following specifications: Name: HighBW Description: High bandwidth users Assign the IP addresses of the high-bandwidth users to the alias: Vera's IP address: 172.14.1.25 Paul's IP address: 172.14.1.100 The Shaper must be configured for the Guest Wi-Fi interface using: An upload bandwidth of 5 Mbits A download bandwidth of 45 Mbits Allow your voice over IP traffic to have priority with: An upload bandwidth of 15 Mbits A download bandwidth of 20 Mbits To limit the user stations most likely to hog bandwidth, use the alias created earlier to penalize the offending stations to 2% of the bandwidth. Give a higher priority to the following services and protocols: MSRDP, VNC, PPTP, IPSEC. Change the port number used on the floating rule created for MSRDP as follows: Interface: GuestWi-Fi Destination Port Range: 3391 Answer the question.
Complete this lab as follows: Sign into the pfSense management console. In the Username field, enter admin. In the Password field, enter P@ssw0rd (zero). Select SIGN IN or press Enter. Create a high bandwidth usage alias. From the pfSense menu bar, select Firewall > Aliases. Select Add. Configure the Properties as follows: Name: HighBW Description: High bandwidth users Type: Host(s) Add the IP addresses of the offending computers to the host(s) configuration: Under Host(s), in the IP or FQDN field, enter 172.14.1.25. Select Add Host. In the new IP or FQDN field, enter 172.14.1.100. Select Save. Select Apply Changes. Start the Traffic Shaper wizard for dedicated links. From the pfSense menu bar, select Firewall > Traffic Shaper. Under the Firewall breadcrumb, select Wizards. Select traffic_shaper_wizard_dedicated.xml. Under Traffic shaper Wizard, in the Enter number of WAN type connections field, enter 1 and then select Next. Configure the Traffic Shaper. Make sure you are on Step 1 of 8. Using the drop-down menu for the upper Local interface, select GuestWi-Fi. Using the drop-down menu for lower Local interface, make sure PRIQ is selected. For the upper Upload field, enter 5. Using the drop-down menu for the lower Upload field, select Mbit/s. For the top Download field, enter 45. Using the drop-down menu for the lower Download field, select Mbit/s. Select Next. Prioritize voice over IP traffic. Make sure you are on Step 2 of 8. Under Voice over IP, select Enable to prioritize the voice over IP traffic. Under Connection #1 parameters, in the Upload rate field, enter 15. Using the drop-down menu for the top Units, select Mbit/s. For the Download rate, enter 20. Using the drop-down menu for the bottom Units, select Mbit/s. Select Next. Enable and configure a penalty box. Make sure you are on Step 3 of 8. Under Penalty Box, select Enable to enable the penalize IP or alias option. In the Address field, enter HighBW. This is the alias created earlier. For Bandwidth, enter 2. Select Next. Skip steps 4 and 5. For Step 4 of 8, scroll to the bottom and select Next. For Step 5 of 8, scroll to the bottom and select Next. Raise and lower the applicable application's priority. Make sure you are on Step 6 of 8. Under Raise or lower other Applications, select Enable to enable other networking protocols. Under Remote Service / Terminal emulation, use the: MSRDP drop-down menu to select Higher priority. VNC drop-down menu to select Higher priority. Under VPN: Use the PPTP drop-down menu to select Higher priority. Use the IPSEC drop-down menu to select Higher priority. Scroll to the bottom and select Next. For step 7 of 8, select Finish. Wait for the reload status to indicate that the rules have been created (look for Done). View the floating rules created for the firewall. Select Firewall > Rules. Under the Firewall breadcrumb, select Floating. In the top right, select Answer Questions. Answer the question and then minimize the question dialog. Change the port number used for the MSRDP outbound rule. For the m_Other MSRDP outbound rule, select the edit icon (pencil). Under Edit Firewall Rule, in the Interface field, select GuestWi-Fi. Under Destination, use the Destination Port Range drop-down menu to select Other. In both Custom fields, enter 3391. Select Save. Select Apply Changes. In the top right, select Answer Questions. Enter 7. Select Score Lab.
You are the security analyst for a small corporate network. After monitoring your network, you have discovered that several employees are wasting time visiting non-productive and potentially malicious websites. As such, you have added pfBlockerNG to your pfSense device. You now need to configure this feature and add the required firewall rules that allow/block specific URLs and prevent all DNS traffic from leaving your LAN network. In this lab, your task is to: Sign in to pfSense using: Username: admin Password: P@ssw0rd (zero) Create a firewall rule that blocks all DNS traffic leaving the LAN network. Create a firewall rule that allows all DNS traffic going to the LAN network. Use the following table for the two rules: Protocol: UDP (53). Descriptions: For the block rule: Block DNS from LAN. For the allow rule: Allow all DNS to LAN. Arrange the firewall rules in the order that allows them to function properly. Enable and configure pfBlockerNG using the information in the following table: DNSBL Virtual IP: 192.168.0.0. Top-Level Domain (TLD) Blacklist: financereports.co, totalpad.com, salesscript.info. Top-Level Domain (TLD) Whitelist: .www.google.com, .play.google.com, .drive.google.com
Complete this lab as follows: Sign into the pfSense management console. In the Username field, enter admin. In the Password field, enter P@ssw0rd (zero).Select SIGN IN or press Enter. Create a firewall rule that blocks all DNS traffic coming from the LAN. From the pfSense menu bar, select Firewall > Rules. Under the Firewall breadcrumb, select LAN. Select Add (either one). Under Edit Firewall Rule, use the Action drop-down to select Block. Under Edit Firewall Rule, set Protocol to UDP. Under Source, use the drop-down menu to select LAN net. Under Destination, configure the Destination Port Range to use DNS (53) (for From and To). Under Extra Options, in the Description field, enter Block DNS from LAN. Select Save. Select Apply Changes. Create a firewall rule that allows all DNS traffic going to the LAN network. Select Add (either one). Under Edit Firewall Rule, set Protocol to UDP. Under Destination, use the drop-down menu to select LAN net. Configure the Destination Port Range to use DNS (53) (for From and To). Under Extra Options, in the Description field, enter Allow all DNS to LAN. Select Save. Select Apply Changes. Arrange the firewall rules in the order that allows them to function properly. Using drag-and-drop, move the rules to the following order (top to bottom): Anti-Lockout Rule Allow all DNS to LAN Block DNS from LAN In the simulated version of pfSense, you can only drag and drop the rules you created. You cannot drag and drop the default rule. Select Save. Select Apply Changes. Enable pfBlockerNG. From the pfSense menu bar, select Firewall > pfBlockerNG. Under General Settings, select Enable pfBlockerNG. Scroll to the bottom and select Save. Enable and configure DNS block lists. Under the Firewall breadcrumb, select DNSBL. Select Enable DNSBL. For DNSBL Virtual IP, enter 192.168.0.0. Scroll to the bottom and expand TLD Blacklist. 
Enter the following URLs in the TLD Blacklist box: financereports.co totalpad.com salesscript.info Expand TLD Whitelist and then enter the following URLs: .www.google.com .play.google.com .drive.google.com Select Save.
You are the IT administrator for a small corporate network. One of your assignments is to manage several computers in the demilitarized zone (DMZ). However, your computer resides on the LAN network. To be able to manage these machines remotely, you have decided to configure your pfSense device to allow several remote control protocols to pass through the pfSense device using NAT port forwarding. In this lab, your task is to create NAT forwarding rules to: Access the pfSense management console: Username: admin Password: P@ssw0rd (zero) Allow the RDP/TCP Protocols from the LAN network to the administrator's PC located in the DMZ using the following guidelines: IP address for the administrator's PC: 172.16.1.100 Description: RDP from LAN to Admin Allow the SSH Protocol through the pfSense device to the Kali Linux server using the following guidelines: IP address for the Linux Kali server: 172.16.1.6 Description: SSH from LAN to Kali Allow the RDP/TCP Protocols from the LAN network to the web server located in the DMZ using the following guidelines: Destination and redirect port: Port 5151 IP address for the web server: 172.16.1.5 Description: RDP from LAN to web server using custom port
Complete this lab as follows: Sign into the pfSense management console. In the Username field, enter admin. In the Password field, enter P@ssw0rd (zero). Select SIGN IN or press Enter. Configure NAT port forwarding for the administrator's PC. From the pfSense menu bar, select Firewall > NAT. Select Add (either one). Configure or verify the following settings: Interface: LAN Protocol: TCP Destination type: LAN address Destination port range (From and To): MS RDP Redirect target IP: 172.16.1.100 Redirect target port: MS RDP Description: RDP from LAN to Admin Select Save. Configure NAT port forwarding for the Kali Linux server. Select Add (either one). Configure or verify the following settings: Interface: LAN Protocol: TCP Destination type: LAN address Destination port range (From and To): SSH Redirect target IP: 172.16.1.6 Redirect target port: SSH Description: SSH from LAN to Kali Select Save. Configure NAT port forwarding for the web server. Select Add (either one). Configure or verify the following settings: Interface: LAN Protocol: TCP Destination type: LAN address Destination port range (From and To): Other Custom (From and To) 5151 Redirect target IP: 172.16.1.5 Redirect target port: MS RDP Description: RDP from LAN to web server using custom port Select Save. Select Apply Changes.
You are the IT administrator for a small corporate network. You want to make a web server that runs services accessible from the internet. To help protect your company, you want to place this server and other devices in a demilitarized zone (DMZ). This DMZ and server need to be protected by the pfSense Security Gateway Appliance (pfSense). Since a few of the other devices in the DMZ require an IP address, you have also decided to enable DHCP on the DMZ network. In this lab, your task is to perform the following: Access the pfSense management console: Username: admin Password: P@ssw0rd (zero) Add a new pfSense interface that can be used for the DMZ. Name the interface DMZ. Use a static IPv4 address of 172.16.1.1/16 Add a firewall rule for the DMZ interface that allows all traffic from the DMZ. Use a description of Allow DMZ to any rule Configure and enable the DHCP server for the DMZ interface. Use a range of 172.16.1.100 to 172.16.1.200
Complete this lab as follows: Sign into the pfSense management console. In the Username field, enter admin. In the Password field, enter P@ssw0rd (zero). Select SIGN IN or press Enter. Configure an interface for the DMZ. From the pfSense menu bar, select Interfaces > Assignments. Select Add. Select OPT1. Select Enable interface. Change the Description field to DMZ. Under General Configuration, use the IPv4 Configuration Type drop-down menu to select Static IPv4. Under Static IPv4 Configuration, in the IPv4 Address field, enter 172.16.1.1. Use the subnet mask drop-down menu to select 16. Select Save. Select Apply Changes. (Optional) Verify the change as follows: From the menu bar, select pfsense COMMUNITY EDITION. Under Interfaces, verify that the DMZ is shown with the correct IP address. Add a firewall rule to the DMZ interface. From the pfSense menu bar, select Firewall > Rules. Under the Firewall breadcrumb, select DMZ. (Notice that no rules have been created.) Under the Firewall breadcrumb, select LAN. Under the Actions column, select the copy icon (two files) for the rule with a source of LAN net. For the Action field, make sure Pass is selected. For the Interface field, use the drop-down menu to select DMZ. For Protocol, make sure it's set to Any. Under Source, use the drop-down menu to select DMZ net. Under Destination, make sure it is configured for any. Under Extra Options, change the description to Allow DMZ to any rule. (Is case sensitive.) Scroll to the bottom and select Save. Select Apply Changes. Configure pfSense's DHCP server for the DMZ interface. From the menu bar, select Services > DHCP Server. Under the Services breadcrumb, select DMZ. Select Enable. Configure the Range field as follows: From: 172.16.1.100 To: 172.16.1.200 Scroll to the bottom and select Save.
You work as the IT security administrator for a small corporate network. Occasionally, you and your co-administrators need to access internal resources when you are away from the office. You would like to set up a Remote Access VPN using pfSense to allow secure access. In this lab, your task is to use the pfSense wizard to create and configure an OpenVPN Remote Access server using the following guidelines: Sign in to pfSense using: Username: admin Password: P@ssw0rd (zero) Create a new certificate authority certificate using the following settings: Name: CorpNet-CA Country Code: GB State: Cambridgeshire City: Woodwalton Organization: CorpNet Create a new server certificate using the following settings: Name: CorpNet Country Code: GB State: Cambridgeshire City: Woodwalton Configure the VPN server using the following settings: Interface: WAN Protocol: UDP on IPv4 only Description: CorpNet-VPN Tunnel network IP: 198.28.20.0/24 Local network IP: 198.28.56.18/24 Concurrent Connections: 4 DNS Server 1: 198.28.56.1 Configure the following: A firewall rule An OpenVPN rule Set the OpenVPN server just created to Remote Access (User Auth). Create and configure the following standard remote VPN users: blindley L3tM31nNow Brian Lindley jphillips L3tM31nToo Jacob Phillips
Complete this lab as follows: Sign into the pfSense management console. In the Username field, enter admin. In the Password field, enter P@ssw0rd (zero). Select SIGN IN or press Enter. Start the VPN wizard and select the authentication backend type. From the pfSense menu bar, select VPN > OpenVPN. From the breadcrumb, select Wizards. Under Select an Authentication Backend Type, make sure Local User Access is selected. Select Next. Create a new certificate authority certificate. For Descriptive Name, enter CorpNet-CA. For Country Code, enter GB. For State, enter Cambridgeshire. For City, enter Woodwalton. For Organization, enter CorpNet. Select Add new CA. Create a new server certificate. For Descriptive Name, enter CorpNet. Verify that all of the previous changes (Country Code, State/Province, and City) are the same. Use all other default settings. Select Create new Certificate. Configure the VPN server. Under General OpenVPN Server Information: Use the Interface drop-down menu to select WAN. Verify that the Protocol is set to UDP on IPv4 only. For Description, enter CorpNet-VPN. Under Tunnel Settings: For Tunnel Network, enter 198.28.20.0/24. For Local Network, enter 198.28.56.18/24. For Concurrent Connections, enter 4. Under Client Settings, in DNS Server1, enter 198.28.56.1. Select Next. Configure the firewall rules. Under Traffic from clients to server, select Firewall Rule. Under Traffic from clients through VPN, select OpenVPN rule. Select Next. Select Finish. Set the OpenVPN server just created to Remote Access (User Auth). For the WAN interface, select the Edit Server icon (pencil). For Server mode, use the drop-down and select Remote Access (User Auth). Scroll to the bottom and select Save. Configure the following Standard VPN users. From the pfSense menu bar, select System > User Manager. Select Add. Configure the User Properties as follows: Username: Username Password: Password Full name: Fullname Scroll to the bottom and select Save.
Repeat steps 8b-8d to create the remaining VPN users.
You work as the IT security administrator for a small corporate network. You recently set up the Remote Access VPN feature on your network security appliance to provide you and your fellow administrators with secure access to your network. You are currently at home and would like to connect your iPad to the VPN. Your iPad is connected to your home wireless network. In this lab, your task is to: Add an IPSec VPN connection using the following values: Description: CorpNetVPN Server: 198.28.56.34 Account: mbrown Secret: asdf1234$ Turn on the VPN. Verify that a connection is established. The password for mbrown is L3tM31nN0w (0 = zero).
Complete this lab as follows: Verify your connection to the Home-Wireless network. Select Settings. Select Wi-Fi. Add and configure a VPN. From the left menu, select General. From the right menu, select VPN. Select Add VPN Configuration. Select IPSec. In the Description field, enter CorpNetVPN. In the Server field, enter 198.28.56.34. In the Account field, enter mbrown. In the Secret field, enter asdf1234$. In the upper right, select Save. Connect to the VPN just created. Under VPN Configuration, slide Not Connected to ON. When prompted, enter L3tM31nN0w (0 = zero) as the password. Select OK.
You are the network administrator for a city library. Throughout the library are several groups of computers that provide public access to the internet. Supervision of these computers has been difficult. You've had problems with patrons bringing personal laptops into the library and disconnecting the network cables from the library computers to connect their laptops to the internet. The library computers are in groups of four. Each group of four computers is connected to a hub that is connected to the library network through an access port on a switch. You want to restrict access to the network so that only library computers are permitted connectivity to the internet. What can you do?
Configure port security on the switch.
A salesperson in your organization spends most of her time traveling between customer sites. After a customer visit, she must complete various managerial tasks, such as updating your organization's order database. Because she rarely comes back to your home office, she usually accesses the network from her notebook computer using Wi-Fi access provided by hotels, restaurants, and airports. Many of these locations provide unencrypted public Wi-Fi access, and you are concerned that sensitive data could be exposed. To remedy this situation, you decide to configure her notebook to use a VPN when accessing the home network over an open wireless connection. Which key steps should you take when implementing this configuration? (Select two.)
Configure the browser to send HTTPS requests through the VPN connection. Configure the VPN connection to use IPsec.
Which of the following scenarios would typically utilize 802.1x authentication?
Controlling access through a switch
An attacker sets up 100 drone computers that flood a DNS server with invalid requests. This is an example of which kind of attack?
DDoS
Of the following security zones, which one can serve as a buffer network between a private secured network and the untrusted internet?
DMZ
Where should an organization's web server be placed?
DMZ
Which protocol should you disable on the user access ports of a switch?
DTP
When setting up a new wireless access point, what is the first configuration change that should be made?
Default login
Which of the following best describes a stateful inspection?
Determines the legitimacy of traffic based on the state of the connection from which the traffic originated.
Which of the following best describes the concept of a virtual LAN?
Devices on the same network logically grouped as if they were on separate networks.
Which of the following NAC agent types creates a temporary connection?
Dissolvable
Which area of focus helps to identify weak network architecture or design?
Documentation
You want to connect your small company network to the internet. Your ISP provides you with a single IP address that is to be shared between all hosts on your private network. You do not want external hosts to be able to initiate connection to internal hosts. Which type of Network Address Translation (NAT) should you implement?
Dynamic
Which NAT implementation assigns two IP addresses to the public NAT interface, allowing traffic to flow in both directions?
Dynamic and static
Which IPSec subprotocol provides data encryption?
ESP
In addition to Authentication Header (AH), IPsec is comprised of what other service?
Encapsulating Security Payload (ESP)
Travis is sending a highly confidential email to Craig that contains sensitive data. Which of the following should Travis implement to ensure that only Craig is able to read the email?
Encryption
Which area of focus do public-facing servers, workstations, Wi-Fi networks, and personal devices fall under?
Entry points
Which type of ACL should be placed as close to the source as possible?
Extended
Which of the following is a privately controlled portion of a network that is accessible to some specific external entities?
Extranet
Which of the following are functions of gateway email spam filters? (Select two.)
Filters messages containing specific content; Blocks email from specific senders
You are implementing a new application control solution. Prior to enforcing your application whitelist, you want to monitor user traffic for a period of time to discover user behaviors and log violations for later review. How should you configure the application control software to handle applications not contained in the whitelist?
Flag
Which of the following types of proxies would you use to remain anonymous when surfing the internet?
Forward
Which device is NAT typically implemented on?
Gateway router
Jessica needs to set up a firewall to protect her internal network from the internet. Which of the following would be the BEST type of firewall for her to use?
Hardware
Which of the following are characteristics of a complex password? (Select two.)
Has a minimum of eight characters; Consists of letters, numbers, and symbols
You want to create a collection of computers on your network that appear to have valuable data but actually store fake data that could entice a potential intruder. Once the intruder connects, you want to be able to observe and gather information about the attacker's methods. Which feature should you implement?
Honeynet
You have been given a laptop to use for work. You connect the laptop to your company network, use it from home, and use it while traveling. You want to protect the laptop from internet-based attacks. Which solution should you use?
Host-based firewall
What is Cisco's Network Access Control (NAC) solution called?
Identity Services Engine (ISE)
Which of the following is susceptible to social engineering exploits?
Instant messaging
Which VPN protocol typically employs IPsec as its data encryption mechanism?
L2TP
At which layer of the OSI model do NAT routers operate?
Layer 3 (Network layer)
Which of the following is considered a major problem with instant messaging applications?
Loss of productivity
In which of the following zones would a web server most likely be placed?
Low-trust zone
Which of the following attacks, if successful, causes a switch to function like a hub?
MAC flooding
You've just deployed a new Cisco router that connects several network segments in your organization. The router is physically located in a cubicle near your office. You've backed up the router configuration to a remote location in an encrypted file. You access the router configuration interface from your notebook computer using an SSH client with the username admin01 and the password P@ssW0rd. You have used the MD5 hashing algorithm to protect the password. What should you do to increase the security of this device?
Move the router to a secure server room.
Members of the sales team use laptops to connect to the company network. While traveling, they connect their laptops to the internet through airport and hotel networks. You are concerned that these computers could pick up viruses that could spread to your private network. You would like to implement a solution that prevents the laptops from connecting to your network unless antivirus software and the latest operating system patches are installed. Which solution should you use?
NAC
You are configuring the security settings for your network. You have decided to configure a policy that requires any computer connecting to the network to run at least Windows 10 version 2004. Which of the following have you configured?
NAC
Your network devices are categorized into the following zone types: No-trust zone, Low-trust zone, Medium-trust zone, High-trust zone. Your network architecture employs multiple VLANs for each of these network zones. Each zone is separated by a firewall that ensures only specific traffic is allowed. Which of the following is the secure architecture concept that is being used on this network?
Network segmentation
Which of the following can make passwords useless on a router?
Not controlling physical access to the router
The IT manager has asked you to create four new VLANs for a new department. As you are going through the VLAN configurations, you find some VLANs numbered 1002-1005. However, they are not in use. What should you do with these VLANs?
Nothing. They are reserved and cannot be used or deleted.
Which of the following BEST describes zero-trust security?
Only devices that pass both authentication and authorization are trusted.
Which of the following is the MOST likely to happen if the firewall managing traffic into the DMZ fails?
Only the servers in the DMZ are compromised, but the LAN will stay protected.
Which of the following does a NAT router use to identify where a host is connected on the switch?
PAT
Which of the following VPN protocols is no longer considered secure?
PPTP
What needs to be configured on a firewall to allow traffic directed to the public resource in the DMZ?
Packet filters
Which classification of attack type does packet sniffing fall under?
Passive
An attacker has gained access to the administrator's login credentials. Which type of attack has most likely occurred?
Password cracking
Which common design feature among instant messaging clients makes them less secure than other means of communicating over the internet?
Peer-to-peer networking
Which of the following methods did Microsoft introduce in Windows 10 to help distribute OS updates?
Peer-to-peer software
Which type of application allows users to share and access content without using a centralized server?
Peer-to-peer software
Which of the following NAC agent types is the most convenient agent type?
Permanent
Drag the network attack technique on the left to the appropriate description or example on the right. (Each technique may be used once, more than once, or not at all.)
Perpetrators attempt to compromise or affect the operations of a system: Active attack. Unauthorized individuals try to breach a network from off-site: External attack. Attempting to find the root password on a web server by brute force: Active attack. Attempting to gather information without affecting the flow of information on the network: Passive attack. Sniffing network packets or performing a port scan: Passive attack.
You are part of a committee that is meeting to define how Network Access Control (NAC) should be implemented in the organization. Which step in the NAC process is this?
Plan
A relatively new employee in the data entry cubicle farm was assigned a user account similar to the other data entry employees' accounts. However, audit logs have shown that this user account has been used to change ACLs on several confidential files and has accessed data in restricted areas. This situation indicates which of the following has occurred?
Privilege escalation
An attacker has obtained the logon credentials for a regular user on your network. Which type of security threat exists if this user account is used to perform administrative functions?
Privilege escalation
Travis and Craig are both standard users on the network. Each user has a folder on the network server that only they can access. Recently, Travis has been able to access Craig's folder. This situation indicates which of the following has occurred?
Privilege escalation
You have used firewalls to create a demilitarized zone. You have a web server that needs to be accessible to internet users. The web server must communicate with a database server for retrieving product, customer, and order information. How should you place devices on the network to best protect the servers? (Select two.)
Put the web server inside the DMZ. Put the database server on the private network.
Which of the following are features of an application-level gateway? (Select two.)
Reassembles entire messages; Stops each packet at the firewall for inspection
You are implementing security at a local high school that is concerned with students accessing inappropriate material on the internet from the library's computers. The students use the computers to search the internet for research paper content. The school budget is limited. Which content filtering option would you choose?
Restrict content based on content categories.
A proxy server can be configured to do which of the following?
Restrict users on the inside of a network from getting out to the internet.
Which of the following does a router use to determine where packets are forwarded to?
Routing table
Which of the following is another name for a firewall that performs router functions?
Screening router
Which of the following is a benefit of P2P applications?
Shared resources
Which VPN implementation uses routers on the edge of each site?
Site-to-site VPN
You have just installed a packet-filtering firewall on your network. Which options are you able to set on your firewall? (Select all that apply.)
Source address of a packet; Destination address of a packet; Port number
You are configuring web threat protection on the network and want to block emails coming from a specific sender. Which of the following should be configured?
Spam filter
You manage a single subnet with three switches. They are connected to provide redundant paths between the switches. Which feature prevents switching loops and ensures there is only a single active path between any two switches?
Spanning Tree Protocol
Which VPN tunnel style routes only certain types of traffic?
Split
You have configured your ACL to block outgoing traffic from a device with the IP address 192.168.1.52. Which type of ACL have you configured?
Standard
Which of the following are characteristics of a packet-filtering firewall? (Select two.)
Stateless; Filters IP address and port
You are the network administrator for a small company that implements NAT to access the internet. However, you recently acquired five servers that must be accessible from outside your network. Your ISP has provided you with five additional registered IP addresses to support these new servers, but you don't want the public to access these servers directly. You want to place these servers behind your firewall on the inside network, yet still allow them to be accessible to the public from the outside. Which method of NAT translation should you implement for these servers?
Static
You have a small network at home that is connected to the internet. On your home network, you have a server with the IP address of 192.168.55.199/16. You have a single public address that is shared by all hosts on your private network. You want to configure the server as a web server and allow internet hosts to contact the server to browse a personal website. What should you use to allow access?
Static NAT
A VPN is primarily used for which of the following purposes?
Support secured communications over an untrusted network.
A virtual LAN can be created using which of the following?
Switch
When configuring VLANs on a switch, what is used to identify which VLAN a device belongs to?
Switch port
You have implemented a new application control solution. After monitoring traffic and use for a while, you have noticed an application that continuously circumvents blocking. How should you configure the application control software to handle this application?
Tarpit
Which statement BEST describes IPsec when used in tunnel mode?
The entire data packet, including headers, is encapsulated
Which problem does NAT help address?
The shortage of IPv4 addresses
A honeypot is used for which purpose?
To delay intruders in order to gather auditing data
Which of the following types of proxies can be used for web filtering?
Transparent
When configuring VLANs on a switch, which type of switch ports are members of all VLANs defined on the switch?
Trunk ports
You are deploying a brand new router. After you change the factory default settings, what should you do next?
Update the firmware.
You've just deployed a new Cisco router that connects several network segments in your organization. The router is physically located in a locked server closet. You use an FTP client to regularly back up the router configuration to a remote server in an encrypted file. You access the router configuration interface from a notebook computer that is connected to the router's console port. You've configured the device with the username admin01 and the password P@ssW0rd. You have used the MD5 hashing algorithm to protect the password. What should you do to increase the security of this device?
Use SCP to back up the router configuration to a remote location.
You've just deployed a new Cisco router that connects several network segments in your organization. The router is physically located in a server room that requires an ID card to gain access. You've backed up the router configuration to a remote location in an encrypted file. You access the router configuration interface from your notebook computer by connecting it to the console port on the router. You've configured the management interface with a username of admin and a password of password. What should you do to increase the security of this device?
Use a stronger administrative password.
You are the security analyst for your organization and have recently noticed a large amount of spim on the company mobile devices. Employees rely on the IM app to communicate with each other. Which of the following countermeasures should you implement?
Use an IM blocker.
You've just deployed a new Cisco router that connects several network segments in your organization. The router is physically located in a server room that requires an ID for access. You've backed up the router configuration to a remote location in an encrypted file. You access the router configuration interface from your notebook computer using a Telnet client with a username of admin and a password of P@ssW0rd. You have used the MD5 hashing algorithm to protect the password. What should you do to increase the security of this device? (Select two.)
Use an SSH client to access the router configuration. Change the default administrative username and password.
You have a company network that is connected to the internet. You want all users to have internet access, but you need to protect your private network and users. You also need to make a web server publicly available to internet users. Which solution should you use?
Use firewalls to create a DMZ. Place the web server inside the DMZ and the private network behind the DMZ.
Your organization has started receiving phishing emails. You suspect that an attacker is attempting to find an employee workstation they can compromise. You know that a workstation can be used as a pivot point to gain access to more sensitive systems. Which of the following is the MOST important aspect of maintaining network security against this type of attack?
User education and training
You run a small network for your business that has a single router connected to the internet and a single switch. You keep sensitive documents on a computer that you would like to keep isolated from other computers on the network. Other hosts on the network should not be able to communicate with this computer through the switch, but you still need to access the network through the computer. What should you use for this situation?
VLAN
Which of the following is commonly created to segment a network into different zones?
VLANs
You manage a network that uses a single switch. All ports within your building connect through the single switch. In the lobby of your building are three RJ-45 ports connected to the switch. You want to allow visitors to plug into these ports to gain internet access, but they should not have access to any other devices on your private network. Employees connected throughout the rest of your building should have both private and internet access. Which feature should you implement?
VLANs
Which of the following is the BEST solution to allow access to private resources from the internet?
VPN
A group of salesmen would like to remotely access your private network through the internet while they are traveling. You want to control access to the private network through a single server. Which solution should you implement?
VPN concentrator
As the security analyst for your organization, you have noticed an increase in user computers being infected with malware. Which two solutions should you implement and configure to remedy this problem? (Select two.)
Virus scanner; Spam filters
You are configuring web threat protection on the network and have identified a website that contains malicious content. Which of the following should you configure?
Web threat filtering
You are configuring web threat protection on the network and want to prevent users from visiting www.videosite.org. Which of the following needs to be configured?
Website filtering
The IT manager has asked you to create a separate VLAN to be used exclusively for wireless guest devices to connect to. Which of the following is the primary benefit of creating this VLAN?
You can control security by isolating wireless guest devices within this VLAN.
In which of the following situations would you most likely implement a demilitarized zone (DMZ)?
You want to protect a public web server from attack.
You are creating a VLAN for voice over IP (VoIP). Which command should you use?
switchport voice vlan [number]